CrowdStrike Running Job Guide

Ensure CrowdStrike Falcon Is Running — Job Deployed via Policy

This guide shows a job that checks whether the CrowdStrike Falcon sensor service (CSFalconService) is running and, if not, starts it. The job is deployed to endpoints using a JobUpdate policy. Same pattern as the Windows Defender Running Job Guide.

Audience: IT admins deploying Keeper Privilege Manager on Windows with CrowdStrike Falcon sensor.

What the Job Does

Checks the status of the CSFalconService service (CrowdStrike Falcon Sensor).
If the service is stopped, starts it with Start-Service -Name CSFalconService.
If the service is already running, does nothing and exits successfully.
Runs on a schedule (default: every 60 minutes) and on Startup, so the Falcon sensor is periodically verified and restored if it was stopped.

The job uses a single PowerShell task in the Service context. The agent typically runs as LOCAL SYSTEM, which can start the CrowdStrike service.

Prerequisites

Keeper Privilege Manager agent installed and running on Windows.
CrowdStrike Falcon sensor installed (so the CSFalconService exists).
PowerShell at C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
Ability to create JobUpdate policies and run Process Configuration Policies (e.g. from Keeper Admin Console).

Job Definition (full JSON)

Use this job JSON in a JobUpdate policy (Extension.JobJson) or save as Jobs/ensure-crowdstrike-running.json for file-based deployment.

{
  "id": "ensure-crowdstrike-running",
  "name": "Ensure CrowdStrike Falcon is running",
  "description": "Checks if the CrowdStrike Falcon sensor service (CSFalconService) is running; if not, starts it. Deploy via JobUpdate policy. Runs on schedule (default every 60 min) and on Startup.",
  "enabled": true,
  "asUser": false,
  "priority": 5,
  "schedule": {
    "intervalMinutes": 60
  },
  "events": [
    { "eventType": "Startup" }
  ],
  "parameters": [],
  "tasks": [
    {
      "id": "check-and-start-crowdstrike",
      "name": "Check CrowdStrike Falcon service and start if stopped",
      "ExecutionType": "Service",
      "command": "powershell.exe",
      "executablePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "arguments": "-NoProfile -ExecutionPolicy Bypass -Command \"& { $s = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue; if (-not $s) { exit 1 }; if ($s.Status -ne 'Running') { Start-Service -Name CSFalconService -ErrorAction Stop }; exit 0 }\"",
      "expectedExitCode": 0,
      "timeoutSeconds": 30,
      "continueOnFailure": false
    }
  ],
  "mqttTopics": { "allowedPublications": ["KeeperLogger"], "allowedSubscriptions": [] },
  "osFilter": { "windows": true, "linux": false, "macOS": false }
}

Deploy the Job via JobUpdate Policy

Create a JobUpdate policy in your policy store or Keeper Admin Console with:
- PolicyType: JobUpdate
- Status: enabled
- Extension:
  - JobId: ensure-crowdstrike-running
  - Action: Add
  - JobJson: The full job object above (single line or formatted).

Example policy structure:

{
  "PolicyId": "deploy-ensure-crowdstrike-running",
  "PolicyName": "Deploy job: Ensure CrowdStrike Falcon is running",
  "PolicyType": "JobUpdate",
  "Status": "enabled",
  "Extension": {
    "JobId": "ensure-crowdstrike-running",
    "Action": "Add",
    "JobJson": {
      "id": "ensure-crowdstrike-running",
      "name": "Ensure CrowdStrike Falcon is running",
      "description": "Checks if the CrowdStrike Falcon sensor service (CSFalconService) is running; if not, starts it.",
      "enabled": true,
      "asUser": false,
      "priority": 5,
      "schedule": { "intervalMinutes": 60 },
      "events": [{ "eventType": "Startup" }],
      "parameters": [],
      "tasks": [
        {
          "id": "check-and-start-crowdstrike",
          "name": "Check CrowdStrike Falcon service and start if stopped",
          "ExecutionType": "Service",
          "command": "powershell.exe",
          "executablePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "arguments": "-NoProfile -ExecutionPolicy Bypass -Command \"& { $s = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue; if (-not $s) { exit 1 }; if ($s.Status -ne 'Running') { Start-Service -Name CSFalconService -ErrorAction Stop }; exit 0 }\"",
          "expectedExitCode": 0,
          "timeoutSeconds": 30,
          "continueOnFailure": false
        }
      ],
      "mqttTopics": { "allowedPublications": ["KeeperLogger"], "allowedSubscriptions": [] },
      "osFilter": { "windows": true, "linux": false, "macOS": false }
    }
  }
}

Assign the policy to the desired Windows collections or machines (where Falcon sensor is installed).
Run Process Configuration Policies on the agents so they receive the job:
- Rely on the normal schedule (e.g. after policy sync), or
- Trigger manually: POST https://127.0.0.1:6889/api/Jobs/process-configuration-policies/run (Admin auth).
Confirm the job is present: GET https://127.0.0.1:6889/api/Jobs — you should see ensure-crowdstrike-running.

When the Job Runs

Startup — Runs once when the agent (or machine) starts.
Every 60 minutes — Per schedule.intervalMinutes. Change intervalMinutes in the job JSON if you want a different interval.

No manual trigger is required unless you want to run it once on demand (e.g. POST .../api/Jobs/ensure-crowdstrike-running/run).

Verification

Service status (PowerShell):
```
Get-Service -Name CSFalconService
```
Status should be Running after the job has run (or after starting it manually for testing).
Agent logs: Check for task check-and-start-crowdstrike and any PowerShell or service errors.

Run job once (optional):

Invoke-RestMethod -Method Post -Uri "https://127.0.0.1:6889/api/Jobs/ensure-crowdstrike-running/run" -SkipCertificateCheck

Troubleshooting

Issue

What to check

Job not on endpoint

JobUpdate policy assigned; Process Configuration Policies has run; GET /api/Jobs shows the job.

Exit code 1

CSFalconService may not exist (Falcon sensor not installed or different product); check Get-Service CSFalconService on the machine.

Access denied starting service

Agent must run as an account that can start services (e.g. LOCAL SYSTEM).

Start-Service fails (e.g. "Disabled" state)

The service must be set to Automatic or Manual; if it is Disabled, Start-Service will fail. Use Set-Service -Name CSFalconService -StartupType Automatic (in an elevated prompt) or services.msc.

Different interval

Edit JobJson in the policy: change schedule.intervalMinutes (e.g. 30), then run Process Configuration Policies again (or use JobUpdate Action Update with the full revised job).

Reference

Job id: ensure-crowdstrike-running
Job file (if not using policy): Jobs/ensure-crowdstrike-running.json
Service name: CSFalconService (CrowdStrike Falcon Sensor)
Platform: Windows only.

For the same pattern applied to Windows Defender, see Windows Defender Running Job Guide. For general job and policy details, see the Getting Started docs (Jobs definition and format, Create/Modify/Delete job).

PreviousReference NextDefault Jobs

Last updated 20 hours ago

Was this helpful?

hashtagWhat the Job Does

hashtagPrerequisites

hashtagJob Definition (full JSON)

hashtagDeploy the Job via JobUpdate Policy

hashtagWhen the Job Runs

hashtagVerification

hashtagTroubleshooting

hashtagReference